Safety Circuit Setup for Multiple Cabinets/Output Modules

Thanks for the responses.

Jeev, the diagram you've drawn is very close. I've corrected it and am uploading our version.

PBuchanan, thanks for the input. I have always tried to pound into my students that they need to consider the operators, maintenance personnel, troubleshooting time and potential downtime when designing and programming systems. In fact, a lot of the information we incorporate into the course has come directly from this board over the years.

Safety Circuit.jpg
 
Things I notice about this design:

1) There is a single cascaded input linking the 3TK2825 and 3TK2841. You will lose most or all of your category between the zones as this is not dual channel.
2) It's just as important to teach people load sharing, as it is teaching them safety.
3) Don't be scared of using all the contacts on your contactors.
4) It looks like the 2825 will check for cross-circuit faults, but the 2841 will not.

Is the single phase supply being run through main contacts, or auxiliaries on K1 and K2?

Also, you previously mentioned that each Sub-Panel has an S7 in it. Does taking down the single phase supply also take down your PLCs in these sub panels?
 
Jeev, thanks so much for your input.

1) Good catch, will have to look into this and see what safety rating this circuit is listed as in the little pamphlet that came with the device. How would you cascade relays like this and still keep them dual channel? Would you run the cascade input through the pair of safety contactors instead of a single output coming from the master safety relay?

2) This system is indoors in a classroom. Originally, everything was planned to run through a single 3-phase connection with the loads distributed similarly to how you had drawn them in your first diagram. The problem turned out to be that the load would be too much for the main 16A breaker installed in the classroom panel. For that reason, we decided to run all of the PLC's, etc off of one single-phase circuit, and the MCC off of the 3-phase. Not ideal, but unfortunately that's the way the classroom was wired.

3) I probably could/should have used more than one contactor contact for +24V going to the other cabinets. The reason we didn't is because the cable connectors for connecting the cables between cabinets are industrial 10-wire plugs (these were installed by someone previously) and we were trying to re-use them. The next level up would have been a 16-pin plug, and we would have needed to buy and re-wire all of the main cables between cabinets. This could have been prevented with better planning, but I wasn't involved in that decision at the time.

4) The Y35 connection on the 2841 turns on and off the cross circuit detection as far as I can tell looking at the manual. Looks like we should connect that.

The relays we are using are control relays/contactors with auxiliary blocks for extra contacts. Both the aux block and main body of the relays have contacts rated DC-13 10A. The single phase is being run through auxiliary contacts, 2 of the 3-phase contacts are running through the body and the other is also run through the aux block. I think the single phase draw is relatively close to this 10A value.

Yes, taking down the single phase supply (master safety relay) takes down the PLCs as well. It completely kills power to all of the cabinets.
 
"The relays we are using are control relays/contactors with auxiliary blocks for extra contacts. Both the aux block and main body of the relays have contacts rated DC-13 10A."

Oops, sorry, that was for the DC 24V E-Stop contactors. The contactors used for the mains are rated at AC-12 10A.
 
Jeev, actually now that I'm looking at it, I don't exactly see why I am losing redundancy (safety category) by cascading the relays the way that I have. Had I not cascaded them, the terminal 1 of the 3TK2841 would still be directly connected to +24V, just as it is now. And cascading it through a safety relay with internal redundancy makes a failure much more unlikely than having run it directly through a contactor. Could you possibly elaborate on this? Thanks!

Also, it seems for cross-circuit detection to be active, Y35 should NOT be connected to 24V. So it is currently wired for cross-circuit protection.
 
Jeev, actually now that I'm looking at it, I don't exactly see why I am losing redundancy (safety category) by cascading the relays the way that I have. Had I not cascaded them, the terminal 1 of the 3TK2841 would still be directly connected to +24V, just as it is now. And cascading it through a safety relay with internal redundancy makes a failure much more unlikely than having run it directly through a contactor. Could you possibly elaborate on this? Thanks!

Also, it seems for cross-circuit detection to be active, Y35 should NOT be connected to 24V. So it is currently wired for cross-circuit protection.

How many wires are running between the 2 safety relays? Cascade input terminal 1 on the 3TK2841 is a standard +24V signal, which is not driven by an OSSD, a pulse, or dynamic. That means that any +24V short between 3TK2841.1 and 3TK2825.14 will render the cascade bypassed. Terminal 14 on the 3TK2825 is a dry contact, which means the short will go undetected on both systems. The Sub E-Stops will still work for the Sub Panels, however your Main E-Stop will now only work for the Main Panel. This is a single system fault that has gone undetected, and caused the failure of part of your safety function. Remember that the overall system is only as strong as the weakest part.

From a design point of view, I would supply the Sub panel PLCs with a constant phase, and supply the VFDs with the safe phase. Dropping PLCs when you hit an E-Stop is not great control behaviour, unless the system is specifically designed to operate like this, or you want to remove all phase power from the Sub Panels. I also notice that both the VFD phases and Safe Stops are being used on the drives. Often it is one or the other, and some drives, for example SEW MoviDrives, can fault if you use both.

There are quite a few options for you with the hardware you have, but these 2 are the simple ones (In all cases keeping the cascaded input will work):

1) Put 4 NC contacts on the Main E-Stop. 2 contacts for the Main Relay and 2 Contacts in series with the Sub E-Stop on the Sub Relay. This isn't industry standard, and piling contacts on E-Stops may not be recommended by the manufacturers.

2) Run the single phase through contacts or auxiliaries on K3 and K4 as well as K1 and K2. The only comment I have here is that I don't like mixing voltage levels on contactors. Usually I will put phases through main contacts, and +24V DC through auxiliaries.

There are a few more flavours, but these will be the simplest to implement, troubleshoot, and teach.

When you are teaching people, you need them to understand that this design still ignores the cascaded Sub E-Stops, and the relay that has no cross-channel detection. Actually, absolutely everything discussed in this thread is a good thing for people who are learning to think about, whether it's a "Do", or a "Don't", or even a "Consider This". Sorry I haven't gotten back with an updated drawing, I've been flat out the last 2 days. I will get back on it when I'm free!
 
To answer your questions; dropping the supply from a PLC output card is a control function. It is the same as turning your outputs off, but in hardware. This used to be classed as "safety" years ago, but it does not use safety hardware, nor is it redundant. If your only safety is dropping the +ve, -ve, or both from an output card, you're asking for a supply fault to render your design useless. Some of our much older machines have used this, and I cringe every time I see it.

I was under the impression he was talking about dropping power to the output cards through a safety relay.
 
I was under the impression he was talking about dropping power to the output cards through a safety relay.

He is, and so am I. There should be a clear demarcation between "safety" and "control" when you are talking machine automation. Safety devices are pieces of hardware which have been designed and certified for use in specifically these applications; however, standard PLC output cards have no safety certification whatsoever. The resulting behaviour of dropping PLC output card supply may be "safe", but it is not a safety rated system, and should it come to it, it will not stand up to scrutinisation by regulatory bodies.

Some would argue that at the end of the day it's all made from the same plastic and semiconductors, or that you can design equivalent systems with high Performance Levels from control equipment.... I would rather use the appropriate hardware, in a design that minimises the likelihood of personnel injury and/or machine damage.

Your system is only as robust as the weakest link (y)
 
He is, and so am I. There should be a clear demarcation between "safety" and "control" when you are talking machine automation. Safety devices are pieces of hardware which have been designed and certified for use in specifically these applications; however, standard PLC output cards have no safety certification whatsoever. The resulting behaviour of dropping PLC output card supply may be "safe", but it is not a safety rated system, and should it come to it, it will not stand up to scrutinisation by regulatory bodies.

Some would argue that at the end of the day it's all made from the same plastic and semiconductors, or that you can design equivalent systems with high Performance Levels from control equipment.... I would rather use the appropriate hardware, in a design that minimises the likelihood of personnel injury and/or machine damage.

Your system is only as robust as the weakest link (y)

You're right, that is a good point. I regularly drop individual output card power through safety contacts but also dump all the system air to any cylinders through a safety dump valve.

I can't really see how anything could be energized through a PNP output card with no output power (without a bunch of bizarre and highly unlikely series of events) but like you said, if it does come down to it, it isn't a safety rated device.
 
He is, and so am I. There should be a clear demarcation between "safety" and "control" when you are talking machine automation. Safety devices are pieces of hardware which have been designed and certified for use in specifically these applications; however, standard PLC output cards have no safety certification whatsoever. The resulting behaviour of dropping PLC output card supply may be "safe", but it is not a safety rated system, and should it come to it, it will not stand up to scrutinisation by regulatory bodies.

Some would argue that at the end of the day it's all made from the same plastic and semiconductors, or that you can design equivalent systems with high Performance Levels from control equipment.... I would rather use the appropriate hardware, in a design that minimises the likelihood of personnel injury and/or machine damage.

Your system is only as robust as the weakest link (y)

I think I may be misreading or misinterpreting what you are saying. If you are physically cutting power to the PLC output section, then it doesn't matter what the PLC's outputs are doing, or what they are rated, because the power cannot reach them through the safety rated relay.

All my machines drop power to the PLC output sections controlling the dangerous motions for safety purposes. I thought that was the standard way to make the device "safe"?

Attached an image. It would seem that every control system would have to have a device at some point to actually control it. The safety relays are there to make sure that device can't do anything when it's not safe to.

Untitled.jpg
 
How many wires are running between the 2 safety relays? Cascade input terminal 1 on the 3TK2841 is a standard +24V signal, which is not driven by an OSSD, a pulse, or dynamic. That means that any +24V short between 3TK2841.1 and 3TK2825.14 will render the cascade bypassed. Terminal 14 on the 3TK2825 is a dry contact, which means the short will go undetected on both systems. The Sub E-Stops will still work for the Sub Panels, however your Main E-Stop will now only work for the Main Panel. This is a single system fault that has gone undetected, and caused the failure of part of your safety function. Remember that the overall system is only as strong as the weakest part.

From a design point of view, I would supply the Sub panel PLCs with a constant phase, and supply the VFDs with the safe phase. Dropping PLCs when you hit an E-Stop is not great control behaviour, unless the system is specifically designed to operate like this, or you want to remove all phase power from the Sub Panels. I also notice that both the VFD phases and Safe Stops are being used on the drives. Often it is one or the other, and some drives, for example SEW MoviDrives, can fault if you use both.

The VFD input phases are cut by the master safety relay, and the safe stop failsafe 24V inputs are cut by the 2841 relay. If the main phases are cut by the main E-Stop, then the VFDs have no power so I'm not really sure how activating the safe stops at that point would be an issue?

There are quite a few options for you with the hardware you have, but these 2 are the simple ones (In all cases keeping the cascaded input will work):

1) Put 4 NC contacts on the Main E-Stop. 2 contacts for the Main Relay and 2 Contacts in series with the Sub E-Stop on the Sub Relay. This isn't industry standard, and piling contacts on E-Stops may not be recommended by the manufacturers.

2) Run the single phase through contacts or auxiliaries on K3 and K4 as well as K1 and K2. The only comment I have here is that I don't like mixing voltage levels on contactors. Usually I will put phases through main contacts, and +24V DC through auxiliaries.

#1 is an interesting idea, this would be easy to implement using dual contact as opposed to single blocks on the back of the E-Stop, and would solve the redundancy problem. You say this isn't common practice, but is there anything wrong with doing this?

#2 would cause the system to no longer work the way we want it to, because running the single-phase through the K3 and K4 contacts would cut all sub-cabinet power upon pressing any of the sub-cabinet E-stops.

There are a few more flavours, but these will be the simplest to implement, troubleshoot, and teach.

When you are teaching people, you need them to understand that this design still ignores the cascaded Sub E-Stops, and the relay that has no cross-channel detection. Actually, absolutely everything discussed in this thread is a good thing for people who are learning to think about, whether it's a "Do", or a "Don't", or even a "Consider This". Sorry I haven't gotten back with an updated drawing, I've been flat out the last 2 days. I will get back on it when I'm free!

Thanks a lot for doing this and the feedback!

He is, and so am I. There should be a clear demarcation between "safety" and "control" when you are talking machine automation. Safety devices are pieces of hardware which have been designed and certified for use in specifically these applications; however, standard PLC output cards have no safety certification whatsoever. The resulting behaviour of dropping PLC output card supply may be "safe", but it is not a safety rated system, and should it come to it, it will not stand up to scrutinisation by regulatory bodies.

Some would argue that at the end of the day it's all made from the same plastic and semiconductors, or that you can design equivalent systems with high Performance Levels from control equipment.... I would rather use the appropriate hardware, in a design that minimises the likelihood of personnel injury and/or machine damage.

Your system is only as robust as the weakest link

As mentioned before, we are using pairs of standard contactors (control relays) controlled by the safety relays. For example, the relays we're using to switch +24V through the 2841 safety relay are a pair of Siemens 3RH1122-1BB40. You mention using only safety related components. Just to be clear, there is no issue using these types of auxiliary contactors in safety systems, provided they meet the required failure life criterion, correct? Contactors are tried and true components with predictable failure.

Also, while we're at it, another question: The E-Stop switched +24V power supply line coming into each of the sub-cabinets and MCC is connected directly to a set of terminal blocks. These terminal blocks provide power to the PLC Output Cards, and in the case of the MCC, supply the constant 24V signal for the safe stops of each VFD. There is no issue in using terminal blocks for these connections in this way, correct?

Great Discussion.
 
Killing the power of your output cards is not the correct way to do it, depending on the risk assessment and the PL or SIL level that is required. It can be, but only for the low risk levels.

This is a link to a page of PILZ. I can not find an english page so I used the google-translator. If somebody has a link to an english URL, feel free to share it.

link


I think I may be misreading or misinterpreting what you are saying. If you are physically cutting power to the PLC output section, then it doesn't matter what the PLC's outputs are doing, or what they are rated, because the power cannot reach them through the safety rated relay.

Example: output Q0.0 controls contactor K1. K1 supplies the power to a motor.

You cut the power to Q0.0, but K1's contacts are welded. The motor will still have power.

The safety relay can only pick up this fault before the start of the machine if an NC contact from K1 is wired into the feedback loop of the safety relay.

The same applies for the pressure: you will need to monitor the pressure. Before the start it needs to be 0 bar for the dangerous actions.
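The two failure modes raised in this thread (the +24V short on the static cascade wire between 3TK2825.14 and 3TK2841.1, and the welded K1 that only a feedback loop catches) can be walked through as a single-fault check. The model below is an added illustration, not code from any participant or from Siemens; it treats contacts as booleans and makes assumptions about relay behaviour that are labelled in the comments (a static +24V input has no test pulses, a dual-channel input faults on channel discrepancy, a positively guided NC auxiliary cannot close while the main contacts are welded). Terminal and device names come from the thread; fault names are constructed for the walk-through.

```python
"""Single-fault walk-through of the cascade wiring and feedback loop from the thread.

Added illustration (not from the thread's participants or from Siemens).
True means 'contact closed' / '+24V present'. Relay internals are assumptions.
"""
from typing import Optional

# Constructed fault labels for the walk-through
SHORT_CASCADE = "short_24v_on_cascade_wire"   # wire 3TK2825.14 -> 3TK2841.1 stuck at +24V
SHORT_CHANNEL_A = "short_24v_on_channel_a"    # one channel of a dual-channel input stuck at +24V


def cascade_static(main_healthy: bool, sub_healthy: bool, fault: Optional[str] = None) -> dict:
    """Wiring as drawn: the 3TK2825 dry output contact feeds +24V into 3TK2841 terminal 1.

    Assumption: terminal 1 is a plain +24V level with no test pulses, so a short to
    +24V on that wire is indistinguishable from 'Main E-Stop healthy' for both relays.
    """
    main_out = main_healthy                     # 3TK2825 output contact (13/14)
    cascade_in = main_out
    if fault == SHORT_CASCADE:
        cascade_in = True                       # the wire is held at +24V regardless
    sub_out = cascade_in and sub_healthy        # 3TK2841 enable for the sub panels
    return {
        "main_zone_energized": main_out,
        "sub_zone_energized": sub_out,
        "fault_detected": False,                # dry contact + static level: nothing checks it
    }


def cascade_dual_channel(main_healthy: bool, sub_healthy: bool, fault: Optional[str] = None) -> dict:
    """Option 1 from the thread: two extra Main E-Stop NC contacts wired in series with the
    Sub E-Stop into both channels of the 3TK2841 (cross-circuit detection active, Y35 open).

    Assumption: the relay drops out and flags a fault when the two channels disagree.
    """
    chan_a = main_healthy and sub_healthy
    chan_b = main_healthy and sub_healthy
    if fault == SHORT_CHANNEL_A:
        chan_a = True                           # channel A held at +24V by the short
    sub_out = chan_a and chan_b                 # both channels must agree to enable
    return {
        "main_zone_energized": main_healthy,
        "sub_zone_energized": sub_out,
        "fault_detected": chan_a != chan_b,     # discrepancy shows up when an E-Stop is pressed
    }


def restart_check(k1_welded: bool, feedback_wired: bool) -> dict:
    """Welded-contactor example: Q0.0 drives K1, K1 feeds the motor.

    Assumption: K1 is positively guided, so with welded main contacts its NC auxiliary
    cannot close. If that NC is in the safety relay's feedback loop, reset is refused.
    """
    nc_aux_closed = not k1_welded
    loop_ok = nc_aux_closed if feedback_wired else True
    return {
        "reset_allowed": loop_ok,
        "motor_live_despite_estop": k1_welded,  # welded contacts pass power whatever Q0.0 does
    }


def single_fault_table() -> dict:
    """Run the cases discussed in the thread with the Main E-Stop pressed."""
    return {
        "static_cascade_fault_free": cascade_static(False, True),
        "static_cascade_shorted": cascade_static(False, True, SHORT_CASCADE),
        "dual_channel_shorted": cascade_dual_channel(False, True, SHORT_CHANNEL_A),
        "welded_k1_no_feedback": restart_check(True, False),
        "welded_k1_with_feedback": restart_check(True, True),
    }


if __name__ == "__main__":
    for name, result in single_fault_table().items():
        print(f"{name}: {result}")
```

With the Main E-Stop pressed, the fault-free static cascade drops the sub zone, but the shorted cascade wire leaves the sub zone energized with nothing reporting a fault, which is the undetected single fault Jeev describes. The dual-channel variant still drops the sub zone and reports the discrepancy. For the welded K1, only the wired feedback loop blocks the reset; the motor being live is not cured by either case, which is why the thread pairs output-card power removal with removing the main supply.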
 
In addition to that, should you have a short between the relevant supply level and the terminals/wiring between your safety relay and output card; the safety relay might detect it and fault the system, however the output card now has a supply and is good to go. These sorts of concepts are usually used in conjunction with energy removal from the main electrical or mechanical supplies (Previously mentioned by people here). Solely removing supply from output cards meets a low risk assessment at best, by any standard (Cat/SIL/PL).

The VFD input phases are cut by the master safety relay, and the safe stop failsafe 24V inputs are cut by the 2841 relay. If the main phases are cut by the main E-Stop, then the VFDs have no power so I'm not really sure how activating the safe stops at that point would be an issue?

If the drives have no issue with this, go for it. Once you start dealing with drives that have separate control power and fieldbus comms, you will want to pick dropping phases or safe stops, but likely not both.

#1 is an interesting idea, this would be easy to implement using dual contact as opposed to single blocks on the back of the E-Stop, and would solve the redundancy problem. You say this isn't common practice, but is there anything wrong with doing this?

To be completely honest, I don't have an answer for that. I do happen to have enough experience with different control gear to know that the more contact blocks you stick on the back of the operator, the more flimsy the whole switch assembly becomes. Flimsy isn't a quality I look for in push-button or E-Stop assemblies.

#2 would cause the system to no longer work the way we want it to, because running the single-phase through the K3 and K4 contacts would cut all sub-cabinet power upon pressing any of the sub-cabinet E-stops.

Functionality noted.

Just to be clear, there is no issue using these types of auxiliary contactors in safety systems, provided they meet the required failure life criterion, correct? Contactors are tried and true components with predictable failure.

This one wasn't aimed at your system. The regulations change subtly through parts of the world, but the one thing I notice about contactors and contacts is that they must be "Positively guided". I always found this interesting, because it means that solid state contactors don't comply with these regulations.

These terminal blocks provide power to the PLC Output Cards, and in the case of the MCC, supply the constant 24V signal for the safe stops of each VFD. There is no issue in using terminal blocks for these connections in this way, correct?

Not that I am aware of. Conceptually, terminal blocks add a point of failure, however I've never seen a regulation that specifically says not to use terminal blocks.

I'm not ignoring your Main/Sub panel design. I'm still flat out commissioning for an acceptance test on Monday :rolleyes: Has anyone else noticed that this thread has over 800 views? A warm hello to all the stalkers out there :p
 
Lots of great information in this thread.

Example: output Q0.0 controls contactor K1. K1 supplies the power to a motor.

You cut the power to Q0.0, but K1's contacts are welded. The motor will still have power.

The safety relay can only pick up this fault before the start of the machine if an NC contact from K1 is wired into the feedback loop of the safety relay.

The same applies for the pressure: you will need to monitor the pressure. Before the start it needs to be 0 bar for the dangerous actions.

My guess is that most people who are cutting the PLC output power are not using this as their ONLY safety measure. We have another system similar to the system we are building now, only more simple, and the motors are line-driven via reversing contactors. When E-Stop is pressed, PLC output card power is cut, but so is all of the 3-phase power going to the motors (all through safety relays/contactor pairs). Removing air pressure and shutting off 3-phase supplies to motors, for example, should be the main safety actions, but additionally cutting the power to the PLC outputs seems to me like an extra layer of safety.
 
Let's clear the air a little.

First removing power from an output card to put its loads in a safe state is a perfectly acceptable method of doing so as long as the device removing the power meets the required safety rating such as a safety relay / contactor.

The rub here is it depends on the loads the Plc outputs are controlling which determines if you need to go further. For direct controlled loads this is all that's needed and for indirect controlled loads you may need to add additional protection depending on what the load is and the risks associated with it.

A PLC output driving a solenoid on an air valve would be a direct controlled load, and a PLC output driving a motor starter contactor is an indirect controlled load and may need a safety rated isolation contactor ahead of the motor starter, again depending on what the motor does and the risks associated with it.

Seems like some are still trying to apply hard and fast rules to every situation and that does not work. If you have not done a risk assessment of the machine you can't say it must be this or that and say methods such as removing power from output cards using a safety relay is not a correct method when in fact it is the correct method in thousands of situations but it all depends on the load and the risks associated with it and that can only be determined by a risk assessment on that specific machine many times on its specific site.

Don't mean to be rude but there are a lot of conflicting statements and info in this thread because people are trying to apply hard rules to every situation and that's what makes safety confusing for the younger bunch reading the threads later.
 